Wayne_Evans
Newcomer III

SDLC definition

Hi All, 

 

I know this is so low level and really context-related but I have been referencing both the SDLC as we been taught as meaning the "Software development lifecycle" but also been referencing ISO 27034 where the definition for SDLC is "Systems Development Life Cycle(s)".  This was raised in peer review in a document as slightly unclear.  

 

They are somewhat interchangeable conceptually perhaps but should ISC2 perhaps adopt the ISO definition instead or tweak it to make it not clash?

 

I just added the acronym twice in my definitions table and expanded on first use in the paragraph to allow context.

Wayne

6 Replies
wimremes
Contributor III

I'd support the adoption of the ISO definition.



Sic semper tyrannis.
Steve-Wilme
Advocate II

The two terms are often used interchangeably in practice.  The plus side of using the system definition is that you'd consider a wider range of things: the hardware, OS, database, middleware, hosting, business processes and training.  Okay, you could be just writing a Lambda function or a microservice, but often the undertaking will be non-trivial.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
AppDefects
Community Champion


@Wayne_Evans wrote:

I know this is so low level and really context-related but I have been referencing both the SDLC as we been taught as meaning the "Software development lifecycle" but also been referencing ISO 27034 where the definition for SDLC is "Systems Development Life Cycle(s)".  


ISO/IEC 27034 is very useful for building and maturing an application security program. The multi-part series represents much more than traditional thinking in terms of an SDLC. Its focus is upon refining the software engineering practices of an organization no matter how they define their SDLC processes. It would be great if we could standardize on one definition, but it is not going to happen. SDLC has simply become an abstraction that does not have to be defined within rigid constructs. What is more important is ensuring that security processes are built into the CI/CD processes of an organization's software lifecycle and then maturing them.

 

As a CSSLP we need to move the bar forward beyond traditional SDLC thinking and begin to standardize on Agile and CI/CD. Delivering quality (i.e., secure) software in a continuous delivery cycle should be the goal of our "SDLC" and whatever that means to an organization. Having said that ambiguous statement I would much rather retire the use of the term SDLC.

 

Btw, if anyone can't buy the standard then check out Microsoft's Security Development Lifecycle documentation, because it is a reflection of the standard. 

dcontesti
Community Champion


@AppDefects wrote:

As a CSSLP we need to move the bar forward beyond traditional SDLC thinking and begin to standardize on Agile and CI/CD. Delivering quality (i.e., secure) software in a continuous delivery cycle should be the goal of our "SDLC" and whatever that means to an organization. Having said that ambiguous statement I would much rather retire the use of the term SDLC.

 

Btw, if anyone can't buy the standard then check out Microsoft's Security Development Lifecycle documentation, because it is a reflection of the standard. 


Thanks for the link to Microsoft's document.

 

 

denbesten
Community Champion

This discussion highlights a greater thought.  Like many other words, acronyms have multiple definitions. The speaker has the responsibility to include context that makes the intended definition clear.  This might include techniques such as linking to MS's Security page (thanks, @AppDefects!), referring to software or system in an earlier sentence, or even expanding the acronym on first use.

 

Although I generally agree with @wimremes's preference for deferring to standards, one also needs to consider that not all standards are aligned (e.g. ISO 12207 is "...Software Lifecycle...") and that focusing on just one definition tends to disenfranchise the disciplines that default to the other definitions.

 

 

rslade
Influencer II

> denbesten (Community Champion) posted a new reply in Member Support on

> This discussion highlights a greater thought.  Like many other words, acronyms
> have multiple definitions. The speaker has the responsibility to include context
> that makes the intended definition clear.

True.

Ultimately, though, I have been amused by the discussion, as the main point of
SDLC, whether "software" or "system" (and regardless of either), is the
importance of method, structure, planning, assessment, and cyclical recurrence.
"Method and order!" as Hercule Poirot would say ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Great wits are sure to madness near allied. - John Dryden, 1681
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468